Boeing 787 cockpit. Photo: Boeing
The Department of Homeland Security (DHS), the Pentagon, and the Department of Transportation (DOT) have been working since May to implement the cyber security goals of the National Strategy for Aviation Security, released earlier this year, and to coordinate cyber security priorities.
“In May, the Aviation Cyber Initiative (ACI) was chartered as a tri-chaired task force by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the Department of Transportation,” according to a CISA official. “The ACI mission is to reduce cyber security risks and improve cyber resilience to support safe, secure, and efficient operations of the nation’s aviation ecosystem…Prior to May, CISA led the inter-agency ACI to identify and mitigate cyber vulnerabilities affecting safe operation of commercial airplanes within the National Airspace System (NAS).”
The National Strategy for Aviation Security “directs a risk-based approach to identify and mitigate aviation cyber vulnerabilities impacting the aviation ecosystem, which includes both civil and military aviation,” according to the CISA official. “In support of cyber risk-reduction and resiliency efforts, the aviation ecosystem is an extensive multi-layered network of intersecting elements with integral roles in the aviation domain and involves six primary entities: airports; airlines; aircraft; airlift; actors; and aviation management.”
The Wall Street Journal first disclosed in an article last week that concerns about possible terrorist cyber attacks led U.S. officials “to re-energize efforts to identify airliners’ vulnerability to hacking” and that the new program would involve limited testing of aircraft.
Sister publication Defense Daily reported in 2017 that DHS’ Science and Technology division had bought a Boeing 757 and conducted cyber security testing of the aircraft at the airport in Atlantic City, but the Wall Street Journal article last week reported that such testing ended last year “amid a disagreement with Boeing…over the testing methodology and plans to publicly release some findings.”
In June last year, DHS S&T and CISA “decided to pause the Boeing 757 assessment segment of the ACI to review and validate requirements,” according to the CISA official. “In January 2019, both agencies determined to resume planning for future assessments. The assessments on this aircraft are only one small part of the broader ACI strategy.”
The Wall Street Journal article last week said the U.S. Air Force also plans to scrutinize commercial aviation systems, as the military uses many of them.
Last April, the International Air Transport Association held a cyber security round table in Singapore to discuss such threats. “All aspects of aircraft operations are now connected and digitized whether an aircraft is airborne, operating at an airport or in maintenance,” according to an excerpt from a summary of the round table. “Additionally, the passenger journey is also increasingly digitized not only on the ground but also in the air. From a cyber security perspective, this creates a complex defensive landscape that has to deal with everything, from an insider threat to attacks against space-based assets, such as Global Navigation Satellite System (GNSS).”
“Overlaid on this defensive complexity is a perception that cyber security issues remained potentially siloed across regulators and authorities, making oversight and accountability challenging. Allied to this, as emerging technology continues to shape the landscape…data integrity attacks, such as spoofing, may become more commonplace.”
For its part, the Federal Aviation Administration (FAA) said that it “requires transport airplane manufacturers to protect critical aircraft systems from Intentional Unauthorized Electronic Interface (IUEI).”
“How different manufacturers design their system architecture to do this is part of their proprietary design. In addition to new e-enabled airplanes, every transport airplane with systems that involve Internet Protocol (IP), or have ‘e-enabled’ features as part of their design have had to meet this requirement. The first ‘e-enabled’ airplane was the Boeing 787 [certified in 2011], and it had to meet this requirement. Any in-service airplanes that were modified to add features like WiFi, internet access, and streaming entertainment had to meet this requirement, too,” the FAA said.
At this year’s Black Hat conference in Las Vegas, Ruben Santamarta, a security consultant, presented his findings related to possible flaws in the 787’s core network that he said could allow a hacker access to the airliner’s critical systems.
The FAA said that all air transport designers “use the concepts of fault tolerance, redundancy, graceful degradation of systems, and pilot intervention to ensure safe operation of the airplane.”
“Airplane designers must comply with all applicable regulations and show that enough critical systems are protected such that a pilot can safely operate and land, despite loss of systems,” according to the FAA. “In addition, all transport category airplanes with IP systems must ensure critical systems are protected from IUEI originating either from the passenger domain or from external maintenance ports or data/software uploads. For airplanes that undergo after-market modifications to add IP systems, such as cabin Wi-Fi service or streamed entertainment, the manufacturer of that system must also show it cannot negatively affect critical airplane systems.”
In July, CISA issued an Industrial Control System (ICS) alert on Controller Area Network (CAN) data buses used by aircraft.
“CISA is aware of a public report of insecure implementation of CAN bus networks affecting aircraft,” the alert said. “According to this report, the CAN bus networks are exploitable when an attacker has unsupervised physical access to the aircraft…An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, air speeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
CISA recommended that “aircraft owners restrict access to planes to the best of their abilities.”
“Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector,” according to the CISA ICS alert. “The automotive industry has made advancements in implementing safeguards that hinder similar physical attacks to CAN bus systems. Safeguards such as CAN bus-specific filtering, white listing, and segregation should also be evaluated by aircraft manufacturers.”
No matter what type of data buses are used, “the manufacturer must account for them, and any associated shortcomings, in their avionics and systems designs,” the FAA said.
“There are many ways for manufacturers to protect critical systems, but a robust avionics architecture, one with redundancy, fault tolerance, graceful degradation, is the primary means of protection,” the FAA said.
Asked about the vulnerability of ARINC data buses, including the widely used ARINC-429, and the Aircraft Communications Addressing and Reporting System (ACARS) to cyber attacks, one official said that airliners are able to handle such threats.
“The Airlines Electronic Engineering Committee (AEEC) prepares the ARINC Standards for avionics and related flight systems,” Paul Prisaznuk, the head of ARINC standards development at SAE Industry Technologies Consortia–an affiliate of SAE International–wrote in an email. “However, it is completely up to the many suppliers of avionics to use the ARINC Standards to build equipment in a safe and reliable fashion. They have done so for decades. And today, there is every reason to believe they are implementing the same systems and similar systems with proper attention to safety, reliability, and security, where applicable.”
As for ARINC-429, “there is no path on or off the airplane that would connect an ARINC 429 bus to the outside world,” Prisaznuk wrote. “No attachment point is the best form of security to have. Even onboard the aircraft, ARINC-429’s unique uni-directional communication path makes it very difficult to compromise.”
As for ACARS, “encrypted ACARS is defined by ARINC Specification 823,” Prisaznuk wrote. “It is up to the individual airline to determine if they wish to buy encryption from their service provider. All ACARS message traffic is sent to the airplane with ‘man in the loop’ in most cases substituting for traditional voice communication.”
“Ironically, the most susceptible system on an airplane is GPS – owned by the U.S. DoD,” according to Prisaznuk. “That said, every airliner has (and will continue to have) Inertial Reference Systems to provide safe and secure operation in the unlikely event of GPS outage.”